Code Signing Policy Modification Through Built-in tools

edit

Code Signing Policy Modification Through Built-in tools

edit

Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Elastic
  • Host
  • Windows
  • macOS
  • Threat Detection
  • Defense Evasion
  • Elastic Endgame

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where host.os.type == "windows" and event.type == "start" and
(
  /* Windows */
  ((process.name: "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and   process.args: ("-set", "/set") and
  process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS")) or

  /* MacOS */
  (process.executable: "/usr/bin/csrutil" and process.args: "disable")
)

Framework: MITRE ATT&CKTM